Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Contribute to GitLab
Sign in / Register
Toggle navigation
F
ffmpeg.wasm-core
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Linshizhi
ffmpeg.wasm-core
Commits
1a25c336
Commit
1a25c336
authored
Oct 28, 2014
by
Tomas Härdin
Committed by
Michael Niedermayer
Oct 28, 2014
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
mxfdec: Tighten RIP length bounds in mxf_read_random_index_pack()
Signed-off-by:
Michael Niedermayer
<
michaelni@gmx.at
>
parent
b83affdc
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
25 additions
and
2 deletions
+25
-2
mxfdec.c
libavformat/mxfdec.c
+25
-2
No files found.
libavformat/mxfdec.c
View file @
1a25c336
...
@@ -2261,16 +2261,33 @@ static void mxf_read_random_index_pack(AVFormatContext *s)
...
@@ -2261,16 +2261,33 @@ static void mxf_read_random_index_pack(AVFormatContext *s)
{
{
MXFContext
*
mxf
=
s
->
priv_data
;
MXFContext
*
mxf
=
s
->
priv_data
;
uint32_t
length
;
uint32_t
length
;
int64_t
file_size
;
int64_t
file_size
,
max_rip_length
,
min_rip_length
;
KLVPacket
klv
;
KLVPacket
klv
;
if
(
!
s
->
pb
->
seekable
)
if
(
!
s
->
pb
->
seekable
)
return
;
return
;
file_size
=
avio_size
(
s
->
pb
);
file_size
=
avio_size
(
s
->
pb
);
/* S377m says to check the RIP length for "silly" values, without defining "silly".
* The limit below assumes a file with nothing but partition packs and a RIP.
* Before changing this, consider that a muxer may place each sample in its own partition.
*
* 105 is the size of the smallest possible PartitionPack
* 12 is the size of each RIP entry
* 28 is the size of the RIP header and footer, assuming an 8-byte BER
*/
max_rip_length
=
((
file_size
-
mxf
->
run_in
)
/
105
)
*
12
+
28
;
max_rip_length
=
FFMIN
(
max_rip_length
,
INT_MAX
);
//2 GiB and up is also silly
/* We're only interested in RIPs with at least two entries.. */
min_rip_length
=
16
+
1
+
24
+
4
;
/* See S377m section 11 */
avio_seek
(
s
->
pb
,
file_size
-
4
,
SEEK_SET
);
avio_seek
(
s
->
pb
,
file_size
-
4
,
SEEK_SET
);
length
=
avio_rb32
(
s
->
pb
);
length
=
avio_rb32
(
s
->
pb
);
if
(
length
<=
32
||
length
>=
FFMIN
(
file_size
,
INT_MAX
))
if
(
length
<
min_rip_length
||
length
>
max_rip_length
)
goto
end
;
goto
end
;
avio_seek
(
s
->
pb
,
file_size
-
length
,
SEEK_SET
);
avio_seek
(
s
->
pb
,
file_size
-
length
,
SEEK_SET
);
if
(
klv_read_packet
(
&
klv
,
s
->
pb
)
<
0
||
if
(
klv_read_packet
(
&
klv
,
s
->
pb
)
<
0
||
...
@@ -2281,6 +2298,12 @@ static void mxf_read_random_index_pack(AVFormatContext *s)
...
@@ -2281,6 +2298,12 @@ static void mxf_read_random_index_pack(AVFormatContext *s)
avio_skip
(
s
->
pb
,
klv
.
length
-
12
);
avio_skip
(
s
->
pb
,
klv
.
length
-
12
);
mxf
->
footer_partition
=
avio_rb64
(
s
->
pb
);
mxf
->
footer_partition
=
avio_rb64
(
s
->
pb
);
/* sanity check */
if
(
mxf
->
run_in
+
mxf
->
footer_partition
>=
file_size
)
{
av_log
(
s
,
AV_LOG_WARNING
,
"bad FooterPartition in RIP - ignoring
\n
"
);
mxf
->
footer_partition
=
0
;
}
end:
end:
avio_seek
(
s
->
pb
,
mxf
->
run_in
,
SEEK_SET
);
avio_seek
(
s
->
pb
,
mxf
->
run_in
,
SEEK_SET
);
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment